On Wednesday 19 November 2008, Paul Howarth wrote:
> On Wed, 19 Nov 2008 13:00:18 -0500
> Gene Heskett <gene.heskett(a)verizon.net> wrote:
> > Greetings;
> >
> > Just recovering from a drive failure, and just now managed to get
> > enough perl deps installed to run spamassassin.
> >
> > I modified the spamassassin script in /etc/init.d to run it as the
> > same user that fetches the mail, also fixed the spamassassin
> > in /etc/sysconfig to match, and according to htop, the spamd's are
> > running as that user.
> >
> > But, selinux is still having a cow for every incoming message.
> > =========
> > Source Context: system_u:system_r:spamd_t:s0
> > Target Context: system_u:object_r:home_root_t:s0
> > Target Objects: ./user_prefs [ file ]
> > ===temp end of snip
> >
> > From that, here is that file:
> >
> > [root@coyote .spamassassin]# ls -l user_prefs
> > -rw-r--r-- 1 gene gene 1164 2006-01-16 13:45 user_prefs
> > [root@coyote .spamassassin]# ls -l --context user_prefs
> > -rw-r--r-- gene gene system_u:object_r:home_root_t:s0 user_prefs
> >
> > ===back to troubleshooter output
> >
> > host=coyote.coyote.den type=AVC msg=audit(1227116423.127:797): avc:
> > denied { write } for pid=7118 comm="spamd" name="user_prefs" dev=sda3
> > ino=74942440 scontext=system_u:system_r:spamd_t:s0
> > tcontext=system_u:object_r:home_root_t:s0 tclass=file
> >
> > host=coyote.coyote.den type=SYSCALL msg=audit(1227116423.127:797):
> > arch=40000003 syscall=5 success=no exit=-13 a0=9a83590 a1=8241 a2=1b6
> > a3=8241 items=0 ppid=7116 pid=7118 auid=0 uid=501 gid=501 euid=501
> > suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=1
> > comm="spamd" exe="/usr/bin/perl" subj=system_u:system_r:spamd_t:s0
> > key=(null)
> > =========
> > Secondary Q: when are we going to be able to copy & paste from the
> > selinuxtroubleshooter screen and preserve the ^%$*^%$( formatting?
> >
> > I have performed the troubleshooter recommended fix:
> >
> > setsebool -P spamd_enable_home_dirs=1
> >
> > and restarted spamassassin several times.
> >
> > Perms or context problem with the /home dirs?
> >
> > A bug?
> >
> > Or I need to do an autorelabel?
> >
> > The /home dirs, FWIW, were copied from another drive by mc & then
> > 'chown -R user:user' when the copy was finished which may not have
> > been the correct thing to do FAIK. But it was the only way I could
> > preserve an email corpus that is in the 10Gb area for size.
> >
> > There are no entries for spamassassin or spamd in /etc/group that I
> > could use to make that file a member of.
> >
> > Fix please?
>
> Regular unix usernames and groups will make little difference to
> SELinux. What you need is the right SELinux labelling for the files.
> Try this:
> # restorecon -RF /home/*/.spamassassin/

I can do this right now, hang on. Quick, less than a second. Now we wait to
see if it throws up another icon to match the incoming mail beep. Yes, it
took nearly a minute after procmail.log showed it, for it to get here, and
now another mail has arrived with no alert and denial.
Thanks Paul, and a big bow in your direction.

> On F9 at least, I believe ~/.spamassassin should have context type
> user_spamassassin_home_t rather than home_root_t which is what you seem
> to have now.
> If this fixes things for you, it's likely that there are other similar
> issues that will need fixing up, and doing a relabel will be a good
> idea when you can spare the time.
> Paul.

I did a "touch /.autorelabel" about Tuesday evening after one install, and it
seemed to be ignored on the reboot. Is that not the correct method?
Thanks again.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Sic transit gloria mundi.
[So passes away the glory of this world.]
-- Thomas à Kempis
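
Added example, not part of the original thread: a shell filter that reduces AVC records to the fields that mattered in this exchange and flags non-directory targets labelled home_root_t, the type that belongs to /home itself. The sample log is constructed (first record unwrapped from the one quoted above, the other two invented for contrast), and the function names are hypothetical.

```shell
#!/bin/bash
# Constructed sample audit log: record 1 is the denial quoted in the thread
# (unwrapped), record 2 is an abbreviated SYSCALL record, record 3 is an
# invented denial on the /home directory itself.
sample_log() {
cat <<'EOF'
host=coyote.coyote.den type=AVC msg=audit(1227116423.127:797): avc: denied { write } for pid=7118 comm="spamd" name="user_prefs" dev=sda3 ino=74942440 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file
host=coyote.coyote.den type=SYSCALL msg=audit(1227116423.127:797): arch=40000003 syscall=5 success=no exit=-13 comm="spamd" exe="/usr/bin/perl"
host=example.invalid type=AVC msg=audit(1227116500.001:801): avc: denied { search } for pid=7200 comm="spamd" name="home" dev=sda3 ino=2 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
EOF
}

# One line per denial: comm name perms source_type target_type tclass
avc_summary() {
  awk '/avc:[ ]+denied/ {
    perms = comm = name = src = tgt = cls = "-"
    # Permission set sits between braces: "{ write }" or "{ read write }"
    if (match($0, /[{][^}]*[}]/)) {
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
    }
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
      if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
      # Context is user:role:type:level; the type is the third field
      if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
      if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
      if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
    }
    print comm, name, perms, src, tgt, cls
  }'
}

# Names of denied targets that carry home_root_t but are not directories:
# a sign the label was not set when the files were copied into place.
mislabeled_home_targets() {
  avc_summary | awk '$5 == "home_root_t" && $6 != "dir" { print $2 }' | sort -u
}

# Stand-alone run over the constructed sample
sample_log | avc_summary
echo "suspect labels: $(sample_log | mislabeled_home_targets)"
```

On a live system the input would come from the audit log instead of sample_log; running restorecon with -n and -v on the directory holding a flagged file previews the relabel without changing anything.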